I am working on creating a custom report that looks for failed logins (the kind we consider more of a threat than a user fat-fingering their password), using the Status and Sub Status codes that are now logged in Windows Vista and later.
To do so, I need to find the right data in the nDepth. It appears that what I want isn't really stored in LEM.
The Event ID 4625 gives a little bit more than what I want. If the username is correct... that is no concern for this report, but if someone keeps logging in with
- guessed usernames
- while accounts are disabled
- after hours
we have a problem.
I am looking for the following failed logons:
| Status and Sub Status Codes | Description (not checked against "Failure Reason:") |
| --- | --- |
| 0xC0000064 | user name does not exist |
| 0xC0000072 | account is currently disabled |
| 0xC000006F | user tried to logon outside his day of week or time of day restrictions |
| 0xC0000070 | workstation restriction |
| 0xC0000193 | account expiration |
| 0xC0000071 | expired password |
| 0xC0000133 | clocks between DC and other computer too far out of sync |
| 0xC0000224 | user is required to change password at next logon |
| 0xC0000225 | evidently a bug in Windows and not a risk |
| 0xC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
Is there a way to retrieve this or make sure that it is logged in LEM?
Thank you
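As an added example (not from the original post and not LEM's own logic), here is a small Python classifier that pulls the Sub Status field out of 4625 message bodies and flags the three cases the post calls a problem (guessed user names, disabled accounts, after-hours logons); the sample events, account names and addresses are constructed, and the code-to-description mapping is the one from the table above.

```python
import re

# Sub Status codes listed in the post, with the poster's own descriptions.
SUB_STATUS = {
    "0xC0000064": "user name does not exist",
    "0xC0000072": "account is currently disabled",
    "0xC000006F": "logon outside day-of-week or time-of-day restrictions",
    "0xC0000070": "workstation restriction",
    "0xC0000193": "account expiration",
    "0xC0000071": "expired password",
    "0xC0000133": "clocks between DC and other computer too far out of sync",
    "0xC0000224": "user is required to change password at next logon",
    "0xC0000225": "evidently a bug in Windows and not a risk",
    "0xC000015B": "requested logon type not granted at this machine",
}
# The three cases the post treats as a real problem rather than a typo.
ALERT_CODES = {"0xC0000064", "0xC0000072", "0xC000006F"}

# One "Field:<whitespace>value" pair per line, as 4625 renders them.
FIELD_RE = re.compile(r"^\s*(Account Name|Status|Sub Status|Source Network Address):\s*(\S+)", re.M)

def normalize_code(code):
    """Canonical '0x' + upper-case hex so 0xc000015b and 0xC000015B compare equal."""
    return "0x" + code[2:].upper() if code.lower().startswith("0x") else code

def classify_4625(message):
    """Parse one 4625 message body and decide whether the report should show it.
    4625 prints 'Account Name' twice (Subject, then the account that failed);
    dict() keeps the last match, which is the target account."""
    fields = dict(FIELD_RE.findall(message))
    sub = normalize_code(fields.get("Sub Status", ""))
    return {
        "account": fields.get("Account Name", "?"),
        "source": fields.get("Source Network Address", "-"),
        "sub_status": sub,
        "reason": SUB_STATUS.get(sub, "unlisted sub status"),
        "alert": sub in ALERT_CODES,
    }

def find_alerts(messages):
    """Return only the events matching the report's criteria."""
    return [r for r in (classify_4625(m) for m in messages) if r["alert"]]

# Constructed, abbreviated 4625 bodies (hypothetical accounts and addresses).
SAMPLE_EVENTS = [
    "An account failed to log on.\nSubject:\n\tAccount Name:\t\t-\nAccount For Which Logon Failed:\n"
    "\tAccount Name:\t\tadministrator\nFailure Information:\n\tStatus:\t\t\t0xC000006D\n"
    "\tSub Status:\t\t0xc0000064\nNetwork Information:\n\tSource Network Address:\t10.0.0.23\n",
    "Subject:\n\tAccount Name:\t\t-\nAccount For Which Logon Failed:\n\tAccount Name:\t\tjsmith\n"
    "Failure Information:\n\tStatus:\t\t\t0xC000006E\n\tSub Status:\t\t0xC0000072\n"
    "Network Information:\n\tSource Network Address:\t10.0.0.45\n",
    "Subject:\n\tAccount Name:\t\t-\nAccount For Which Logon Failed:\n\tAccount Name:\t\tbjones\n"
    "Failure Information:\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC000006A\n",
]
```

Running `find_alerts(SAMPLE_EVENTS)` keeps the guessed-name and disabled-account events and drops the plain wrong-password one (Sub Status 0xC000006A), which is the filtering the report asks for.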